Georgia Imposes Legal Requirements For Discarding Customer Records

On May 2, 2002, Governor Roy E. Barnes signed Senate Bill 475, which requires that businesses follow specified guidelines for discarding records containing the personal information of customers. Importantly, businesses that violate this new legislation are subject to a maximum fine of $10,000. The bill also establishes a crime of "identity fraud" and provides for a private right of action for both business and consumer victims.

Under the legislation, businesses that are not otherwise governed by the privacy provisions of federal law must take specific actions prior to discarding any record that contains a customer’s personal information. "Business" is broadly defined, and includes sole proprietorships, partnerships, corporations and associations, whether or not organized for profit.

The new law provides four methods by which a business can discard a record containing a customer’s personal information. First, the business may choose to shred the customer’s record. Second, the business may erase the personal information contained in the customer’s record before discarding it. Third, the customer’s record may be modified to ensure that the personal information is unreadable. Finally, if the business chooses to use the services of a third party specializing in record destruction, the business is required to take action that it "reasonably believes" will ensure that no unauthorized person has access to the personal information contained on the record prior to its ultimate destruction.

A business that fails to properly discard records containing personal information may be subject to a fine of up to $500 per record, up to an aggregate maximum of $10,000. A business may avoid liability by showing it used "due diligence" in its attempt to properly dispose of or discard its customer’s records.

The bill also establishes the crime of "identity fraud", when a person, without authorization or permission of another, and with the intent unlawfully to appropriate resources of or cause physical harm to that other person, (i) obtains or records identifying information which would assist in accessing the resources of that person, or (ii) accesses or attempts to access the resources of that person through the use of identifying information. In addition to imprisonment and fines that can be as high as $250,000 for repeated offenses, the statute permits both business and consumer victims to bring civil actions for actual and punitive damages, plus attorney's fees. Consumer victims may also bring class actions. If the violation of the statute is intentional, courts are required to impose awards equal to three times the actual damages.